Effective Date: March 12, 2026 · Last Updated: March 12, 2026
This Privacy Policy describes how MIRRORA L.P. (“Mirrora,” “we,” “us,” or “our”) collects, uses, retains, and protects personal data in connection with the Reclaim application (the “App” or “Service”).
MIRRORA L.P. is a limited partnership registered under Greek law, with its registered office at Praxitelous 24, 35131, Lamia, Greece. Mirrora is the data controller for personal data collected directly from merchants in connection with their use of the Service, as described in this Policy.
This Policy applies exclusively to the Reclaim application and the data Mirrora collects and processes in that context. It does not govern the mirrora.ai website, which is covered by a separate privacy policy.
This Policy should be read alongside our Terms of Service, available at mirrora.ai/reclaim-terms, which governs the contractual relationship between Mirrora and merchants and sets out our obligations as a data processor when handling merchant customers’ personal data on the merchant’s behalf.
Reclaim involves two legally distinct data processing relationships, and it is important to understand which applies:
When you install and use the App, Mirrora collects certain personal data about you as a merchant — such as your store domain, contact details, and billing information — to provide and manage the Service. For this data, Mirrora acts as the data controller and this Policy sets out your rights and our obligations.
In delivering the Service, Mirrora also processes personal data belonging to your customers (such as order and customer records from your Shopify store) on your behalf. For this data, you are the data controller and Mirrora acts as your data processor, processing only on your instructions and only for the purposes set out in our Terms of Service. Your customers’ rights in relation to this data must be addressed through your own privacy notices. If your customers contact Mirrora directly with data rights requests, we will refer them to you and assist you in responding.
Sections 3 through 9 of this Policy address relationship 2.1 — Mirrora’s processing of merchant account data as controller. Our obligations as processor under relationship 2.2 are governed by our Terms of Service (Section 6) and the Data Processing Addendum available on request.
We collect the following categories of personal data about merchants, directly or through the Shopify installation process:
| Category | Examples |
|---|---|
| Account and identity data | Store owner name, store domain, email address associated with the Shopify account |
| Billing and payment data | Subscription plan, billing status, and a payment processor reference ID generated by our billing system. We do not store full payment card details — these are handled directly by our payment processor. |
| Usage and configuration data | App settings, onboarding status, consent records (including AI training consent), checkout type selection, and feature usage patterns |
| Communication data | Content of support requests and correspondence sent to hello@mirrora.ai |
| Retention data (post-uninstall) | Your store’s public domain and an internal payment processor reference ID, retained after uninstallation solely to enforce our one-trial-per-merchant policy (see Section 6) |
When you first install the App and complete the setup flow, Reclaim performs a one-time historical sync of your store’s order data for up to the preceding ninety (90) days. This sync retrieves the same categories of order and customer data described in Section 2.2 (which we process as your data processor), and is necessary to populate the AI Commerce Gap analytics from the moment of installation. Without this historical baseline, the Service cannot provide meaningful analytics at the outset. After the initial sync, Reclaim receives new order data incrementally via Shopify webhooks as orders are created or updated. The historical sync data is subject to the same retention and deletion rules as all other order and customer data (see Section 5).
We do not knowingly collect special categories of personal data (as defined under GDPR Article 9) from merchants, and the Service is not directed at individuals under the age of eighteen.
We process merchant personal data for the following purposes, each supported by the lawful basis identified below:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Providing and managing the Service | Contract (GDPR Art. 6(1)(b)) | Processing necessary to install the App, authenticate your store, deliver the features of your subscription tier, and manage your account. |
| Onboarding historical data sync | Contract (GDPR Art. 6(1)(b)) | On first installation, we perform a one-time sync of up to 90 days of historical order data from your Shopify store. This processing is necessary to deliver the core analytics functionality of the Service from the moment of installation. Without the historical baseline, the Service cannot identify the AI Commerce Gap or provide any meaningful analytics output. |
| Billing and subscription management | Contract (GDPR Art. 6(1)(b)) | Processing necessary to manage your subscription, collect payments, issue receipts, and administer plan changes or cancellations. |
| Trial abuse prevention | Legitimate interest (GDPR Art. 6(1)(f)) | We retain your store domain and an internal billing reference after uninstallation to enforce our one-trial-per-merchant policy. Our legitimate interest is preventing systematic abuse of promotional terms. This interest is not overridden by your interests or rights given the minimal nature of the data retained. |
| Customer support | Contract / Legitimate interest (GDPR Art. 6(1)(b) and (f)) | Processing necessary to respond to support requests and resolve technical issues. |
| Security and fraud prevention | Legitimate interest (GDPR Art. 6(1)(f)) | Processing necessary to detect, prevent, and address fraud, abuse, and security incidents affecting the Service. |
| Legal compliance | Legal obligation (GDPR Art. 6(1)(c)) | Processing necessary to comply with applicable law, including data subject rights requests, regulatory obligations, and Shopify Partner Program Agreement requirements. |
| AI model training (optional) | Consent (GDPR Art. 6(1)(a)) | Only where you have separately and explicitly opted in during setup. This consent is entirely voluntary, can be withdrawn at any time via Settings, and has no effect on your access to the Service if withheld or withdrawn. See Section 7. |
We retain personal data for no longer than is necessary for the purposes for which it was collected. The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Merchant account and configuration data | Duration of active installation, plus a twenty-four (24)-hour grace period following uninstallation to allow for reinstallation without data loss. Permanently deleted at the end of the grace period if no reinstallation occurs. |
| Your customers’ data (order, customer, and product records processed on your behalf) | Same as above: deleted at the end of the twenty-four (24)-hour post-uninstall grace period. |
| Billing records | Retained for the period required by applicable accounting and tax law (typically seven years under Greek law), but limited to the data required for that legal obligation. |
| Support correspondence | Retained for two years from the date of last correspondence, then deleted. |
| Operational and system logs | Same as customers’ data: deleted at the end of the twenty-four (24)-hour post-uninstall grace period. |
| Post-uninstall retention data (store domain + billing reference) | Retained indefinitely for trial abuse prevention. Contains no order data, customer data, or contact information. You may request confirmation or deletion of this record at hello@mirrora.ai; deletion requests will be honored unless our legitimate interest in retaining the record outweighs your interests in the specific circumstances. |
| AI training models (if consent given) | Deleted within 60 days of consent withdrawal or account termination. |
| Deletion job audit record | Following the completion of the post-uninstall data deletion job, a minimal record of that job is retained as an audit trail to demonstrate that deletion was carried out. This record contains a job identifier, the merchant’s store domain, timestamps, and job status. It does not contain order data, customer data, or any personal information of your customers. It is retained for the period necessary to satisfy our legal obligations to demonstrate GDPR compliance and to respond to any regulatory inquiry. |
| Anonymized aggregate statistics | May be retained indefinitely; they contain no information that could identify any individual merchant, customer, or order. |
We share merchant personal data with the following third-party service providers (“sub-processors”) who process it on our behalf, subject to written data processing agreements that impose data protection obligations no less protective than those in this Policy:
| Sub-processor | Location | Purpose and Data Involved |
|---|---|---|
| Cloud infrastructure provider (Railway) | United States | Hosts the App, database, and all data processed by the Service. All merchant and customer data passes through or is stored on this infrastructure. Transfer mechanism: EU Standard Contractual Clauses. |
| Payment processor (Stripe, Inc.) | United States | Processes Pro Plan subscription payments. Receives billing and payment data. Does not receive order or customer data from your store. Transfer mechanism: EU Standard Contractual Clauses and Stripe’s own adequacy frameworks. |
We do not sell, rent, or share your personal data with any third party for their own marketing or commercial purposes. We do not use your data for cross-context behavioral advertising.
We will notify you of material changes to our sub-processor list at least thirty (30) days in advance via email or in-app notification.
We may disclose personal data if required to do so by law, court order, or regulatory authority, or where necessary to protect the rights, property, or safety of Mirrora, our merchants, or others. Where legally permitted, we will notify you before making such a disclosure.
In the event of a merger, acquisition, or sale of all or substantially all of Mirrora’s business, personal data may be transferred to the acquiring entity, subject to the same protections as set out in this Policy. We will notify you of any such transfer and your rights in connection with it.
By default, we do not use your data — or your customers’ data — to train any artificial intelligence or machine learning model. This applies in all forms, including aggregated or anonymized data, and regardless of whether any other merchant has provided consent. Our obligations under Section 9.15 of the Shopify Partner Program Agreement make this prohibition absolute with respect to any cross-merchant model.
If you separately and explicitly opt in during the App setup flow, we may use your store’s data to train models that operate exclusively for your store, with the sole purpose of improving the accuracy and relevance of the Service for your specific store. These models are never shared with, transferred to, or used for the benefit of any other merchant or any general-purpose system.
The legal basis for this processing is your consent (GDPR Article 6(1)(a)). Your consent is:
You may withdraw consent at any time via the Settings page in the App. Upon withdrawal: we cease using your data for any new model training immediately; any model trained on your data is permanently deleted within 60 days; and your access to all features of the Service is unaffected. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Mirrora is based in Greece (European Union). Our sub-processors are based in the United States, which does not have an EU adequacy decision for general data transfers. Where we transfer personal data from the EEA or the UK to the United States or other third countries, we rely on the following safeguards:
Copies of the applicable transfer mechanisms may be obtained by contacting hello@mirrora.ai.
If you are located in the European Economic Area or the United Kingdom, you have the following rights in relation to personal data for which Mirrora is the controller:
| Right | What It Means in Practice |
|---|---|
| Access (Art. 15) | You may request a copy of the personal data we hold about you and information about how we process it. |
| Rectification (Art. 16) | You may ask us to correct inaccurate or incomplete personal data. |
| Erasure (Art. 17) | You may ask us to delete your personal data where we no longer have a lawful basis to retain it. Note: the post-uninstall retention data (store domain and billing reference) may be retained where our legitimate interest in preventing trial abuse outweighs your erasure request. |
| Restriction (Art. 18) | You may ask us to restrict processing of your personal data in certain circumstances, such as while a rectification request is pending. |
| Portability (Art. 20) | You may request a copy of personal data you provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract. |
| Objection (Art. 21) | You may object to processing based on legitimate interest. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests. |
| Withdrawal of consent (Art. 7(3)) | Where processing is based on your consent (AI training only), you may withdraw consent at any time via Settings without affecting your access to the Service. |
| Lodge a complaint | You have the right to lodge a complaint with a supervisory authority. In Greece, the competent authority is the Hellenic Data Protection Authority (HDPA, www.dpa.gr). You may also lodge a complaint with the supervisory authority in your country of residence. |
If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the CPRA):
To exercise any of the above rights, contact us at hello@mirrora.ai. We will respond within 45 days as required by law, with one possible 45-day extension where reasonably necessary.
If you are located in Canada, you have the right to access personal information we hold about you and to challenge its accuracy. You also have the right to withdraw consent for processing based on consent, to the extent that withdrawal does not affect processing already completed. To exercise these rights, contact hello@mirrora.ai.
To exercise any right under this Section, contact us at hello@mirrora.ai with sufficient information to identify your account (your store domain is sufficient). We will respond within the timeframe required by applicable law and will not charge a fee unless your request is manifestly unfounded or excessive.
We may need to verify your identity before processing certain requests. We will ask for the minimum information necessary for verification.
We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include encryption of data in transit and at rest, role-based access controls, and written confidentiality obligations for personnel with access to production data.
No security measure is absolute. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33.
The Reclaim App itself does not use third-party tracking cookies, advertising pixels, or session recording tools. It uses only session tokens and strictly necessary cookies required for authentication and secure operation of the App within the Shopify Admin environment. No consent is required for these cookies under the EU ePrivacy Directive.
The mirrora.ai marketing website may use separate cookies, which are disclosed in the website’s own Cookies Policy.
The Service is intended solely for use by businesses and is not directed at individuals under the age of eighteen. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will delete it promptly. If you believe we may have collected data from a minor, please contact hello@mirrora.ai.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Service. For material changes, we will provide at least thirty (30) days’ advance notice via email or in-app notification before the change takes effect. The updated Policy will be published at mirrora.ai/reclaim-privacy with a revised effective date.
Where a change requires your consent (for example, a new processing purpose based on consent), we will seek that consent before the change takes effect.
For any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data:
MIRRORA L.P.
Praxitelous 24, 35131, Lamia, Greece
Data protection and legal: hello@mirrora.ai
Support: hello@mirrora.ai
Website: mirrora.ai
We aim to acknowledge all privacy-related inquiries within five business days and to respond substantively within the timeframe required by applicable law.
If you are located in the EEA and believe that our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Mirrora is:
Hellenic Data Protection Authority (HDPA)
Kifissias 1–3, 115 23 Athens, Greece
www.dpa.gr
You may also lodge a complaint with the supervisory authority in your country of establishment or habitual residence.